Cloud Forensics: CAINE7 on AWS

If you work with AWS, you may have to perform a forensic analysis at some point. As discussed in previous articles here, there are many tasks we can achieve in the cloud.

Here is a quick guide, based on the AWS CLI, on how to install the well-known CAINE7 distribution, upload it to the Amazon cloud and use it there by importing it as an EC2 AMI:

First of all, boot CAINE7.iso as a live CD in VirtualBox; a 12GB disk in VHD format will be fine (if you have a VMDK instead of a VHD, you can convert it with "VBoxManage clonemedium CAINE7.vmdk CAINE7.vhd --format vhd").

Inside CAINE:

Run the BlockON/OFF app from the Desktop icon, select your virtual hard drive and make it Writable.

Go to Menu / System / Administration / gParted

In gParted: Device / Create Partition Table… and choose msdos

Partition / New: create a 10GB partition and leave the rest empty

Create another partition of type linux-swap in the remaining 2GB

Edit / Apply All Operations

Run Systemback (the installer) from the Desktop icon.

Choose System Install and fill in the form with user full name: caine, system user: ec2-user, your password and hostname: caine. Then click Next

Select the 10GB partition and set the mount point /

Click Next and the installation will start

Once the installation is finished, stop the virtual machine, remove the live CD, start it again and log in to the VM to do some additional steps inside your freshly installed CAINE7.

Update and upgrade:

sudo apt-get update; sudo apt-get upgrade

Install the AWS CLI (the PyPI package is named awscli):

sudo pip install awscli

Now we will install some dependencies needed to get access via RDP once we run CAINE in AWS, just as if it were on our local workstation.

Good, now that we know the AMI id, let's create a new instance inside an existing VPC and a public subnet (I use t2.medium with 2GB of RAM). Please use your own Security Group with RDP and SSH open and your own SSH key name:
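As an added example (not from the original article), here is a small Python pre-flight script for that launch step: it inspects the chosen Security Group and refuses to run `aws ec2 run-instances` if SSH (22) or RDP (3389) is reachable from 0.0.0.0/0 or ::/0, since a forensics workstation should only accept analyst traffic. The AMI, subnet, group and key-pair ids and the sample describe-security-groups JSON are constructed placeholders.

```python
# Added example: pre-flight check before launching the CAINE7 instance. Refuses
# to call `aws ec2 run-instances` if the security group exposes SSH or RDP to the
# whole internet. All ids and the sample JSON below are CONSTRUCTED placeholders.
import json
import subprocess

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of `aws ec2 describe-security-groups` output:
# SSH is limited to one analyst network, RDP is open to everyone.
SAMPLE_SG_JSON = """
{"SecurityGroups": [{"GroupId": "sg-PLACEHOLDER", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
   "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
  {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
]}]}
"""

def world_open_admin_ports(sg_json):
    """Return sorted (port, cidr) pairs where SSH or RDP is reachable from anywhere."""
    hits = set()
    for group in json.loads(sg_json)["SecurityGroups"]:
        for perm in group["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            world = [c for c in cidrs if c in WORLD]
            if not world:
                continue
            if perm["IpProtocol"] == "-1":  # "All traffic" rule covers every port
                ports = list(ADMIN_PORTS)
            elif perm["IpProtocol"] in ("tcp", "6"):
                ports = [p for p in ADMIN_PORTS if perm["FromPort"] <= p <= perm["ToPort"]]
            else:
                continue  # UDP/ICMP rules cannot expose SSH or RDP
            hits.update((p, c) for p in ports for c in world)
    return sorted(hits)

def run_instances_cmd(ami, subnet, sg, key, instance_type="t2.medium"):
    """argv for the launch described above: existing VPC subnet, own SG and key pair."""
    return ["aws", "ec2", "run-instances", "--image-id", ami, "--instance-type",
            instance_type, "--subnet-id", subnet, "--security-group-ids", sg,
            "--key-name", key, "--associate-public-ip-address", "--count", "1"]

if __name__ == "__main__":
    # Real use: fetch sg_json with `aws ec2 describe-security-groups --group-ids <sg>`
    for port, cidr in world_open_admin_ports(SAMPLE_SG_JSON):
        raise SystemExit(f"refusing to launch: {ADMIN_PORTS[port]} ({port}) is open to {cidr}")
    subprocess.run(run_instances_cmd("ami-PLACEHOLDER", "subnet-PLACEHOLDER",
                                     "sg-PLACEHOLDER", "my-keypair"), check=True)
```

With the constructed sample the script stops before launching and reports the world-open RDP rule; tighten the group to your analyst CIDR and rerun.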